Privacy Policy

At Chetcuti Cauchi, we are committed to the privacy of every person. We recognise that our clients, employees and people we work with, entrust important non-public personal data (as defined in the General Data Protect Regulation – GDPR, regulation 2016/679 of the European Parliament and Council of the 27 April 2016), to us, and we take seriously our responsibility to protect and safeguard this data. Our long-standing privacy policies and practices covering non-public personal data (herein also referred to as personal data or personal information) are described below.

1. Who are We?

Chetcuti Cauchi is a group of entities constituted and operating internationally and providing legal, tax, personal and business consultancy. Persons having a legal interest may obtain a list of the group entities by sending us an email on datacontrol@cclex.com.

Your non-public personal information is controlled by the group entity Chetcuti Cauchi Consulting Ltd, a company duly incorporated under the laws of Malta, having registration number C-47375. Your information is accessible to all group entities and processed by any one or more of such group entities depending on the services requested by you. All the entities of the Chetcuti Cauchi group follow and adhere to appropriate safeguards in line with EU law for the processing of non-public personal data.

2. What Data We Collect and How do we Use it

The non-public personal data that we collect and the processing of such information will vary on the basis of the purpose and scope of the particular use or engagement.

2.1 Visitors to our Websites

When someone visits our website/s we collect standard internet log information and details of visitor behaviour patterns. This information is collected through the use of cookies. You can read more about this in our Cookie Policy

This information is processed to improve website use, for our internal purposes including the administration of our website, market research, data analytics and compliance with our legal obligations, policies and procedures.

2.2 People who Request to Receive Updates and Information from Us

Chetcuti Cauchi frequently shares updates on legal developments and solutions that might affect you or your business through various means including mail, email and social media. If you consent to receive such updates, we will collect your name contact details and keep a record of the information we have sent you as well as any interactions related to such information sent to you. If you do not provide such information, we will not be able to provide you with updates.

The information so collected is used and processed to:

enter into, or perform, a contract with you;

remember your preferences or specific interests; and

for our internal purposes including the administration of the flow of such information, market research and data analytics, internal record keeping and/or to improve our services.

2.3 People who Send us a Request for Information

Our websites provide for functions that allow users to request information about our services. The information collected through the request for information function on our websites is the following:

information you provide in the fields of the online form;

IP address;

date, time and data of our website/s access; and

identification data of the used browser.

You can also contact us through email, phone, or social media to request information. We will, therefore, be collecting any information you provide to us or available on the relative media used. We will also collect any correspondence in furtherance of the request. This information is necessary for us to be able to respond to your request. General and preliminary information will be provided to you without the requirement of any other additional personal information. An identification document and other personal information will be requested in order to comply with anti-money laundering rules and to be able to provide you detailed and specific information to your request. If you are not able or unwilling to provide us such information, we will not be able to provide any additional information.

Any personal information that you provide to us through these processes will be used and processed to:

provide you with the information you requested;

follow up with you on such request;

comply with any legal or regulatory requirement including compliance with anti-money laundering rules; and

for our internal purposes including the administration of the flow of such information, market research and data analytics, internal record keeping and/or to improve our products.

2.4 People who Use our Services

When a client is being provided a service, we collect information as required by statutory obligations, principally information required by anti-money laundering rules and regulations, and information required to be able to provide the services. If you are not able or unwilling to provide us such information, we may not be able to provide the service/s.

The information collected varies depending on the service/s being provided. By way of example, for succession planning, we will typically collect all relevant data, including information about our client's personal assets, goals and preferences. Any personal information so collected will be used:

to provide you the relative service/s; and

to comply with any legal duty including compliance with anti-money laundering rules.

2.5 Prospective Employees

If you apply with us for a post we will collect the following information on you:

name and contact details;

your previous experiences and details of your previous jobs;

education details and transcripts;

referees names and contact details; and

answers to questions made to you during the recruitment process.

You are not obliged to provide this information although your application may be affected. We work with various recruitment agency and such information may be obtained from agencies you would have applied with. The information we collect will be used:

to progress your application;

to assess your suitability for employment;

to contact you on the progress of your application; and

comply with any legal or regulatory requirement.

We may request you to allow us to process your personal information to contact you for any other vacancy that may arise. Should you consent, we will contact you whenever a suitable vacancy will arise.
On acceptance of an employment offer of an employee, we may collect the following information:

identification document;

police conduct certificate or equivalent; and

health Information to ensure you are fit to work and to cater for any special conditions.

This additional information collected is processed to undertake pre-employment checks. This information is necessary to finalize you employment and onboarding process.

2.6 Employees

In addition to the information provided during the recruitment process, on employment, we will require you to provide the following details:

bank details to process salary payments; and

emergency contact details.

This information is required and will affect your employment if not provided. During your employment with us, other information will be collected:

you may make your contact details and other information available to the other employees. The systems provide control to the employees to update their profile with the information s/he would like other employees to access;

will be used to progress your employment with us and assess your performance; and

will be used to comply with any legal or regulatory requirement including registering you with the relevant employment authorities and paying National Insurance contributions and taxes on your behalf.

Our systems may prompt you to provide your marital status, number of children and other general interest questions. This information is not required and may not be provided. This information, if provided, will be used to improve your experience with us in furtherance of the social and family friendly initiatives that we may undertake from time to time.

2.7 Collaborators and Suppliers

We pride in choosing collaborators and suppliers that share our standards and commit to our level of privacy policies and practices.

On collaborators we work with and suppliers that provide us a service, we collect information as required by statutory obligations, principally information required by anti-money laundering rules and regulations and information required for the collaboration or the provision of the service by the supplier to us. If you as a collaborator or supplier are not able or unwilling to provide us such information, we will not be able to collaborate with you or use your services.

Any personal non-public information so collected will be used:

to contact you in furtherance of the collaboration or supply of service;

for our internal purposes including the administration of the flow of such information, data analytics, internal record keeping, financial and market research; and

to comply with any legal duty including compliance with anti-money laundering rules.

3. Legal basis for Processing

In line with the principle of data minimization and data economy, we only collect personal data and processes it on the following legal basis:

when you request our services or you are an employee, a collaborator or a supplier, our legal basis for collecting and processing information is based on and the requirements for the performance of a contract or to take steps to enter into a contract and/or legal regulations, mainly anti-money laundering regulations;

our legal basis for collecting and processing your personal data when you opt-in to receive information for us, or to participate in a conference, workshop is based on your consent;

we may collect and process information for legitimate interest, primarily to protect us from legal action or claims from third parties, including you and/or to protect our legal rights and/or those of our employees.

4. Recipients of Personal Data

We may disclose personal information legally in the following scenarios:

for the performance of a contract or to take steps to enter into a contract; and

to collaborating entities/persons that are required for the provision of services to you or with your consent.

group entities, including non-EU entities part of the group based on contractual terms issued by the European Commission (refer to section 6);

when there is a legal requirement to do so;

if we are requested to do so by a governmental or regulatory authority or by a court of competent jurisdiction;

to enforce our contractual terms;

in cases or merger or acquisition of our business or parts of it to the new owners;

to protect us and our employees from legal action or claims from third parties, including you;

5. Intra-Group Transfers of Data Within the EU/EEA

The free exchange of personal data between Member States is a fundamental aspect of the EU’s basic principles. This principle is also reflected in the GDPR, which excludes the restriction or prohibition of the free movement of personal data within the EU or EEA.

GDPR therefore allows for the transfer between EU/EEA companies subject to the legal basis as provided above in section 3 of this policy.

6. Transfers Outside the EU/EEA

The personal non-public data we collect from you may be collected stored or processed by or transferred between group entities, including our entities established outside the EU/EEA. To date, the European Commission has not determined the non-EU countries we are established in to have an adequate level of protection of personal data within the terms of article 45 of the GDPR.

In the absence of an Adequacy Decision, the GDPR provides that a transfer can take place through the provision of appropriate safeguards and on condition that enforceable rights and effective legal remedies are available for individuals. Such appropriate safeguards include contractual arrangements with the recipient of the personal data, using, the standard contractual clauses approved by the European Commission.

For this purpose, contractual arrangements based on contractual provisions as approved by the European Commission are in place to ensure effective legal remedies to you in relation to the processing of personal non-public data by our group entities outside the EU/EEA.

7. How Long do we Retain the Data

We retain the personal information that we collect from you only for as long as required for statutory, business, tax or legitimate interest purposes. Your information is retained in electronic or paper format or both. When it is no longer required, it will be deleted or destroyed.

Should you wish to obtain information on the specific retention period of any personal information we hold on you, please contact us on datacontrol@cclex.com.

8. Automated Individua Decision Making, Including Profiling

We do not undertake fully automated individual decision-making, including profiling, that has a legal or similarly significant effect.

9. Systems we Use

We maintain physical, electronic and procedural safeguards to protect personal non-public data.
Data transmitted to us through the contact forms on websites are transmitted in an encrypted form. Transmission of personal data via the internet is made at your own risk. We attempt to protect your personal data from unauthorized access by third parties by means of precautions such as pseudonymization, data minimization and observing deletion periods. Despite these protective measures, however, we cannot completely rule out unlawful processing by third parties.

Additionally, we herein outline programmes and systems we use in our collection, processing and storing of data:

we use an online portal managed and operated by us online to store and process information, data and details;

we use reCAPTCHA to detect any improperly use of our websites by automated mechanical processing. Certain personal data, including IP address, is thus transmitted to “Google”;

when someone visits our website/s we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. This information is processed in such a manner that it does not identify the user. Such information is only collected as per our Cookie Policy;

we use third party HR systems for the collection, processing and storing of information on prospective employees and employees. All third party systems we use are GDPR compliant;

we use industry standard tools in order to monitor and collect information on our website/s users’ needs and to optimize the use of our websites. The information collected does not identify the individual users;

Please contact datacontrol@cclex.com should you require more information on the GDPR compliance of such systems.

10. Links to Other Websites

Occasionally we may provide links to other websites for your convenience and information. This privacy policy does not cover the links within our websites linking to other websites. We are not responsible for such other website/s and/or any products or services they may offer. It is your responsibility to check how these websites treat your personal data and we encourage you to read the privacy statements on the other websites you visit.

11. Your Rights

Your principal rights under data protection law are:

right to be informed about the personal non-public data we collect and how we process it - this policy aims at providing you with this information;

right to access – you have the right to obtain confirmation that your personal non-public data is being processed and have the ability to access it;

right to modification – you have the right to request the modification of any personal non-public data we hold on you if it is incorrect or incomplete;

right of portability – you may ask us to forward to you the personal data we hold on you and which is portable at law in a structured, commonly used and machine-readable format or to transmit that data to another data controller, where it is technically feasible to do so

right to erasure – you have the right to request the removal of your personal data, which shall be deleted, unless there is a legal requirement or reason for us to continue processing or storing it;

right to restrict processing – you have a right to restrict or withdraw consent to the processing of your personal data. In such cases we are permitted to store your data, but not to process it further unless there is a legal requirement or reason for us to continue processing it;

right to object to processing for specific reasons at law, being the following:

processing based on legitimate interests or the performance of a task in the public interest or in the exercise of official authority,

direct marketing, including profiling to the extent that it is related to such marketing activities,

processing for scientific or historical research purposes or for the purpose of statistics; and

you have the right to file a complaint with supervisory authorities if your information has not been processed in compliance with GDPR.

For any requests in furtherance to the above, please contact us on datacontrol@cclex.com. We shall endeavor to reply at the very earliest and deal with your request by not later than 30 days from receipt by us of your request.

12. Changes to this Privacy Policy

We keep our privacy policy under regular review. If any change in this privacy policy will affect the way we collect or process any personal information, you will be provided with prior notice via email. Your continued use of services or websites after any change to this privacy notice will constitute your acceptance of such change.

13. How to Contact Us

We try to meet the highest standards when collecting and processing personal data. We encourage you to contact us if you think that our collection or processing of data may be improved. You may also file a complaint. We welcome your suggestions for improving our procedures and take any complaints seriously. This privacy policy was drafted with the aim of providing clarity and information about our data collection, processing and retention. We understand that, however, it does not provide exhaustive details. Please feel free to contact us to provide you with any additional information or clarifications.

At Chetcuti Cauchi, we are committed to the privacy of every person. We recognise that our clients, employees and people we work with, entrust important non-public personal data (as defined in the General Data Protect Regulation – GDPR, regulation 2016/679 of the European Parliament and Council of the 27 April 2016), to us, and we take seriously our responsibility to protect and safeguard this data. Our long-standing privacy policies and practices covering non-public personal data (herein also referred to as personal data or personal information) are described below.

1. Who are We?

Chetcuti Cauchi is a group of entities constituted and operating internationally and providing legal, tax, personal and business consultancy. Persons having a legal interest may obtain a list of the group entities by sending us an email on datacontrol@cclex.com.

Your non-public personal information is controlled by the group entity Chetcuti Cauchi Consulting Ltd, a company duly incorporated under the laws of Malta, having registration number C-47375. Your information is accessible to all group entities and processed by any one or more of such group entities depending on the services requested by you. All the entities of the Chetcuti Cauchi group follow and adhere to appropriate safeguards in line with EU law for the processing of non-public personal data.

2. What Data We Collect and How do we Use it

The non-public personal data that we collect and the processing of such information will vary on the basis of the purpose and scope of the particular use or engagement.

2.1 Visitors to our Websites

When someone visits our website/s we collect standard internet log information and details of visitor behaviour patterns. This information is collected through the use of cookies. You can read more about this in our Cookie Policy

This information is processed to improve website use, for our internal purposes including the administration of our website, market research, data analytics and compliance with our legal obligations, policies and procedures.

2.2 People who Request to Receive Updates and Information from Us

Chetcuti Cauchi frequently shares updates on legal developments and solutions that might affect you or your business through various means including mail, email and social media. If you consent to receive such updates, we will collect your name contact details and keep a record of the information we have sent you as well as any interactions related to such information sent to you. If you do not provide such information, we will not be able to provide you with updates.

The information so collected is used and processed to:

enter into, or perform, a contract with you;

remember your preferences or specific interests; and

for our internal purposes including the administration of the flow of such information, market research and data analytics, internal record keeping and/or to improve our services.

2.3 People who Send us a Request for Information

Our websites provide for functions that allow users to request information about our services. The information collected through the request for information function on our websites is the following:

information you provide in the fields of the online form;

IP address;

date, time and data of our website/s access; and

identification data of the used browser.

You can also contact us through email, phone, or social media to request information. We will, therefore, be collecting any information you provide to us or available on the relative media used. We will also collect any correspondence in furtherance of the request. This information is necessary for us to be able to respond to your request. General and preliminary information will be provided to you without the requirement of any other additional personal information. An identification document and other personal information will be requested in order to comply with anti-money laundering rules and to be able to provide you detailed and specific information to your request. If you are not able or unwilling to provide us such information, we will not be able to provide any additional information.

Any personal information that you provide to us through these processes will be used and processed to:

provide you with the information you requested;

follow up with you on such request;

comply with any legal or regulatory requirement including compliance with anti-money laundering rules; and

for our internal purposes including the administration of the flow of such information, market research and data analytics, internal record keeping and/or to improve our products.

2.4 People who Use our Services

When a client is being provided a service, we collect information as required by statutory obligations, principally information required by anti-money laundering rules and regulations, and information required to be able to provide the services. If you are not able or unwilling to provide us such information, we may not be able to provide the service/s.

The information collected varies depending on the service/s being provided. By way of example, for succession planning, we will typically collect all relevant data, including information about our client's personal assets, goals and preferences. Any personal information so collected will be used:

to provide you the relative service/s; and

to comply with any legal duty including compliance with anti-money laundering rules.

2.5 Prospective Employees

If you apply with us for a post we will collect the following information on you:

name and contact details;

your previous experiences and details of your previous jobs;

education details and transcripts;

referees names and contact details; and

answers to questions made to you during the recruitment process.

You are not obliged to provide this information although your application may be affected. We work with various recruitment agency and such information may be obtained from agencies you would have applied with. The information we collect will be used:

to progress your application;

to assess your suitability for employment;

to contact you on the progress of your application; and

comply with any legal or regulatory requirement.

We may request you to allow us to process your personal information to contact you for any other vacancy that may arise. Should you consent, we will contact you whenever a suitable vacancy will arise.
On acceptance of an employment offer of an employee, we may collect the following information:

identification document;

police conduct certificate or equivalent; and

health Information to ensure you are fit to work and to cater for any special conditions.

This additional information collected is processed to undertake pre-employment checks. This information is necessary to finalize you employment and onboarding process.

2.6 Employees

In addition to the information provided during the recruitment process, on employment, we will require you to provide the following details:

bank details to process salary payments; and

emergency contact details.

This information is required and will affect your employment if not provided. During your employment with us, other information will be collected:

you may make your contact details and other information available to the other employees. The systems provide control to the employees to update their profile with the information s/he would like other employees to access;

will be used to progress your employment with us and assess your performance; and

will be used to comply with any legal or regulatory requirement including registering you with the relevant employment authorities and paying National Insurance contributions and taxes on your behalf.

Our systems may prompt you to provide your marital status, number of children and other general interest questions. This information is not required and may not be provided. This information, if provided, will be used to improve your experience with us in furtherance of the social and family friendly initiatives that we may undertake from time to time.

2.7 Collaborators and Suppliers

We pride in choosing collaborators and suppliers that share our standards and commit to our level of privacy policies and practices.

On collaborators we work with and suppliers that provide us a service, we collect information as required by statutory obligations, principally information required by anti-money laundering rules and regulations and information required for the collaboration or the provision of the service by the supplier to us. If you as a collaborator or supplier are not able or unwilling to provide us such information, we will not be able to collaborate with you or use your services.

Any personal non-public information so collected will be used:

to contact you in furtherance of the collaboration or supply of service;

for our internal purposes including the administration of the flow of such information, data analytics, internal record keeping, financial and market research; and

to comply with any legal duty including compliance with anti-money laundering rules.

3. Legal basis for Processing

In line with the principle of data minimization and data economy, we only collect personal data and processes it on the following legal basis:

when you request our services or you are an employee, a collaborator or a supplier, our legal basis for collecting and processing information is based on and the requirements for the performance of a contract or to take steps to enter into a contract and/or legal regulations, mainly anti-money laundering regulations;

our legal basis for collecting and processing your personal data when you opt-in to receive information for us, or to participate in a conference, workshop is based on your consent;

we may collect and process information for legitimate interest, primarily to protect us from legal action or claims from third parties, including you and/or to protect our legal rights and/or those of our employees.

4. Recipients of Personal Data

We may disclose personal information legally in the following scenarios:

for the performance of a contract or to take steps to enter into a contract; and

to collaborating entities/persons that are required for the provision of services to you or with your consent.

group entities, including non-EU entities part of the group based on contractual terms issued by the European Commission (refer to section 6);

when there is a legal requirement to do so;

if we are requested to do so by a governmental or regulatory authority or by a court of competent jurisdiction;

to enforce our contractual terms;

in cases or merger or acquisition of our business or parts of it to the new owners;

to protect us and our employees from legal action or claims from third parties, including you;

5. Intra-Group Transfers of Data Within the EU/EEA

The free exchange of personal data between Member States is a fundamental aspect of the EU’s basic principles. This principle is also reflected in the GDPR, which excludes the restriction or prohibition of the free movement of personal data within the EU or EEA.

GDPR therefore allows for the transfer between EU/EEA companies subject to the legal basis as provided above in section 3 of this policy.

6. Transfers Outside the EU/EEA

The personal non-public data we collect from you may be collected stored or processed by or transferred between group entities, including our entities established outside the EU/EEA. To date, the European Commission has not determined the non-EU countries we are established in to have an adequate level of protection of personal data within the terms of article 45 of the GDPR.

In the absence of an Adequacy Decision, the GDPR provides that a transfer can take place through the provision of appropriate safeguards and on condition that enforceable rights and effective legal remedies are available for individuals. Such appropriate safeguards include contractual arrangements with the recipient of the personal data, using, the standard contractual clauses approved by the European Commission.

For this purpose, contractual arrangements based on contractual provisions as approved by the European Commission are in place to ensure effective legal remedies to you in relation to the processing of personal non-public data by our group entities outside the EU/EEA.

7. How Long do we Retain the Data

We retain the personal information that we collect from you only for as long as required for statutory, business, tax or legitimate interest purposes. Your information is retained in electronic or paper format or both. When it is no longer required, it will be deleted or destroyed.

Should you wish to obtain information on the specific retention period of any personal information we hold on you, please contact us on datacontrol@cclex.com.

8. Automated Individua Decision Making, Including Profiling

We do not undertake fully automated individual decision-making, including profiling, that has a legal or similarly significant effect.

9. Systems we Use

We maintain physical, electronic and procedural safeguards to protect personal non-public data.
Data transmitted to us through the contact forms on websites are transmitted in an encrypted form. Transmission of personal data via the internet is made at your own risk. We attempt to protect your personal data from unauthorized access by third parties by means of precautions such as pseudonymization, data minimization and observing deletion periods. Despite these protective measures, however, we cannot completely rule out unlawful processing by third parties.

Additionally, we herein outline programmes and systems we use in our collection, processing and storing of data:

we use an online portal managed and operated by us online to store and process information, data and details;

we use reCAPTCHA to detect any improperly use of our websites by automated mechanical processing. Certain personal data, including IP address, is thus transmitted to “Google”;

when someone visits our website/s we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. This information is processed in such a manner that it does not identify the user. Such information is only collected as per our Cookie Policy;

we use third party HR systems for the collection, processing and storing of information on prospective employees and employees. All third party systems we use are GDPR compliant;

we use industry standard tools in order to monitor and collect information on our website/s users’ needs and to optimize the use of our websites. The information collected does not identify the individual users;

Please contact datacontrol@cclex.com should you require more information on the GDPR compliance of such systems.

10. Links to Other Websites

Occasionally we may provide links to other websites for your convenience and information. This privacy policy does not cover the links within our websites linking to other websites. We are not responsible for such other website/s and/or any products or services they may offer. It is your responsibility to check how these websites treat your personal data and we encourage you to read the privacy statements on the other websites you visit.

11. Your Rights

Your principal rights under data protection law are:

right to be informed about the personal non-public data we collect and how we process it - this policy aims at providing you with this information;

right to access – you have the right to obtain confirmation that your personal non-public data is being processed and have the ability to access it;

right to modification – you have the right to request the modification of any personal non-public data we hold on you if it is incorrect or incomplete;

right of portability – you may ask us to forward to you the personal data we hold on you and which is portable at law in a structured, commonly used and machine-readable format or to transmit that data to another data controller, where it is technically feasible to do so

right to erasure – you have the right to request the removal of your personal data, which shall be deleted, unless there is a legal requirement or reason for us to continue processing or storing it;

right to restrict processing – you have a right to restrict or withdraw consent to the processing of your personal data. In such cases we are permitted to store your data, but not to process it further unless there is a legal requirement or reason for us to continue processing it;

right to object to processing for specific reasons at law, being the following:

processing based on legitimate interests or the performance of a task in the public interest or in the exercise of official authority,

direct marketing, including profiling to the extent that it is related to such marketing activities,

processing for scientific or historical research purposes or for the purpose of statistics; and

you have the right to file a complaint with supervisory authorities if your information has not been processed in compliance with GDPR.

For any requests in furtherance to the above, please contact us on datacontrol@cclex.com. We shall endeavor to reply at the very earliest and deal with your request by not later than 30 days from receipt by us of your request.

12. Changes to this Privacy Policy

We keep our privacy policy under regular review. If any change in this privacy policy will affect the way we collect or process any personal information, you will be provided with prior notice via email. Your continued use of services or websites after any change to this privacy notice will constitute your acceptance of such change.

13. How to Contact Us

We try to meet the highest standards when collecting and processing personal data. We encourage you to contact us if you think that our collection or processing of data may be improved. You may also file a complaint. We welcome your suggestions for improving our procedures and take any complaints seriously. This privacy policy was drafted with the aim of providing clarity and information about our data collection, processing and retention. We understand that, however, it does not provide exhaustive details. Please feel free to contact us to provide you with any additional information or clarifications.